Microsoft Azure: Planning, Deploying, and Managing the Cloud
About this ebook
Gain the technical and business insight needed to plan, deploy, and manage the services provided by the Microsoft Azure cloud. This second edition focuses on improving operational decision tipping points for the professionals leading DevOps and security teams. This will allow you to make an informed decision concerning the workloads appropriate for your growing business in the Azure public cloud.
Microsoft Azure starts with an introduction to Azure along with an overview of its architecture services such as IaaS and PaaS. You’ll also take a look into Azure’s data, artificial intelligence, and machine learning services. Moving on, you will cover the planning for and adoption of Azure where you will go through budgeting, cloud economics, and designing a hybrid data center. Along the way, you will work with web apps, network PaaS, virtual machines, and much more.
The final section of the book starts with Azure data services and big data with an in-depth discussion of Azure SQL Database, CosmosDB, Azure Data Lakes, and MySQL. You will further see how to migrate on-premises databases to Azure and use data engineering. Next, you will discover the various Azure services for application developers, including Azure DevOps and ASP.NET web apps. Finally, you will go through the machine learning and AI tools in Azure, including Azure Cognitive Services.
What You Will Learn
Who This Book Is For
Azure architects and business professionals looking for Azure deployment and implementation advice.
Book preview
Microsoft Azure - Julian Soh
Part I: Introducing Microsoft Azure
© Julian Soh, Marshall Copeland, Anthony Puca, and Micheleen Harris 2020
J. Soh et al., Microsoft Azure, https://doi.org/10.1007/978-1-4842-5958-0_1
1. Microsoft Azure and Cloud Computing
Julian Soh (1), Marshall Copeland (2), Anthony Puca (3), and Micheleen Harris (1)
(1) Washington, WA, USA
(2) Texas, TX, USA
(3) Colorado, CO, USA
Cloud computing as a platform does not require a review; however, the hundreds of new services and updated changes to the Microsoft Azure public cloud can be a great investment for your business. Updated Azure core services and new business services are explained in this book to further your knowledge. This book was written for both technical and business readers to gain greater skills through our guidance.
This book is updated in its second edition. We know that reader commitment goes beyond the cover price; it is spent in the value of your time learning. You cannot afford to waste one hour, so we are dedicated to earning your commitment on every page and in every chapter by providing you the most timely and updated guidance on Microsoft Azure services. We provide guidance and information to help you understand the details and completed code in the book as well as additional examples on the public GitHub location.
Note
All the code for the software-defined infrastructure (both Microsoft Azure ARM templates and HashiCorp Terraform) can be downloaded at https://github.com/harris-soh-copeland-puca.
In this chapter, you learn about many new features and best-in-cloud improvements that are integrated and deployed through various methods in the Azure platform. This chapter is written as a high-level introduction to updated features that have been greatly enhanced or are new to the platform. The other chapters provide in-depth information on topics, to provide guidance and configuration.
Where Is Microsoft Azure Today?
One of the challenges for technical readers may be having expertise in other cloud solutions and relating to Microsoft Azure terminology. You are first guided through Azure services and cloud products to identify a cloud service, and then in later chapters, we provide a deeper look at how to create, deploy, and manage that service. Azure services are continuously updated, and you need to understand the details to enable technologies to support your business and leverage updated Azure platform services. The market drives features that benefit business revenue, and cloud computing customers are requesting continuous innovation from Microsoft.
The Microsoft Azure additions have grown out of teams that expand beyond the Redmond campus to include global collaboration with businesses, customers, universities, and governments to expand Microsoft Azure services. The incorporated feedback provides a road map that, like software development, leverages a CI/CD (continuous integration/continuous deployment) pipeline. Azure services and resources change and adapt much more rapidly than traditional on-premises software deployment cycles.
The information provided is written with the intent to eliminate unnecessary acronyms. Some are unavoidable, and many are overused in online documentation. Depending on your business role, some acronyms are indispensable and are used in more than one workflow, and if you are skimming information, it can be confusing. For example, SDLC (software development life cycle) is used in Agile delivery conversations. If the topic also includes cybersecurity, then SDLC means security development life cycle.
Agile is a term used in software development conversations; it is not an acronym but a process for delivering software in a short schedule. Another example is continuous integration/continuous deployment (CICD or CI/CD). It is a term that is used in more than software delivery; for example, Azure documentation is updated on GitHub and delivered directly to websites.
Note
This chapter provides an overview of many of the fundamental Azure features with additional chapters providing deep dives and guidance.
Azure Availability
Azure has an infrastructure that is geographically identified globally, regionally, and by zone. Azure regions are based on countries and grouped into geographies. This is important because failover availability and the set of available services are specific to a region; not all services are available in all regions across the globe.
Azure regions are several datacenters deployed within a perimeter. They provide low network latency for communication within those regions and inside those datacenters. Many of the datacenters’ physical buildings are aligned together as one location; they are described as a datacenter campus in some documentation. An entire datacenter can fail over to another datacenter in the Azure region. Some of the Azure regions (in the United States, for example) are identified as Central US or East US in the Azure public cloud.
A Microsoft Azure region supports at least two physically separate locations that preserve data within a specific compliance boundary. Geographies allow customers to maintain data inside known locations by geographic boundaries. Geographic boundaries are connected using dedicated low-latency networks and include regions in the United States and around the globe, but it is more apparent when you look at geographic regions in Europe. For example, Azure regions in Europe include North Europe and West Europe, which support each other to provide high availability; likewise, North Germany and West Germany specifically maintain data inside Germany’s borders.
Azure availability zones include at least two Azure regions, which are physically separated by hundreds of miles to support more than one location for high availability. The datacenter equipment includes redundant power, redundant cooling, and redundant network connectivity. High availability requires an architecture that considers both infrastructure as a service (IaaS) and platform as a service (PaaS). High availability does not include backup and recovery, which is included in the architecture for disaster recovery processes.
Figure 1-1. Azure geographic boundary with regional pairs
For the Azure Government cloud, we use USDOD central or USDODE. Other regions support both the US public cloud and the US Azure Government clouds. To learn more about the Azure regions across the United States, Europe, and Asia, go to https://azure.microsoft.com/is-is/global-infrastructure/geographies/.
Azure Government is significantly different from other cloud services providers because it specifically addresses technical and mandatory regulatory requirements, such as
FedRAMP
FISMA
FBI Criminal Justice Information Systems (CJIS)
Often, these government-specific requirements make it difficult for cloud services providers to scale up. Also, special SLAs (service-level agreements) and compliance requirements can cause providers to be penalized for noncompliance. For example, the FBI CJIS requires that a cloud service provider’s personnel be background-checked and fingerprinted.
The Azure Government cloud was the first cloud to be consistent with the 13 areas defined in the CJIS security policy.
Note
Standards apply to all customers using Azure cloud, Public or Government. Microsoft datacenter personnel are background-checked and fingerprinted, and the same personnel are responsible for the service. Standards such as CJIS apply to all customers using Azure Government. Use the contact email cjis@microsoft.com for information on which services are currently available in specific states across the United States.
The Azure SLA for Availability
Each Microsoft Azure service has an SLA based on the region the service is available in. The most up-to-date SLA information is available at https://azure.microsoft.com/en-us/support/legal/sla/. The Azure SLA for availability zones offers 99.99% virtual machine (VM) uptime.
Azure Compliance
Azure maintains more than 90 compliance certifications, which include ones that specifically support regions and countries. These certifications are built to meet industry standards for IT and cloud-computing services. Azure’s industry-recognized certifications are at https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-home?view=o365-worldwide.
Figure 1-2. Azure compliance offerings
Certifications govern Azure’s suitability for specific industry use, and they form the basis of customer trust. Third-party auditors, who are recognized by certification bodies, independently verify each certification. There is also a requirement for recertification and periodic audits to ensure compliance with all certifications.
Microsoft is a member of the advisory committee for many certification bodies, and it provides feedback and recommendations on proposed changes. Microsoft has visibility in many upcoming changes, which allows them to incorporate changes in the Azure platform in a timely manner.
Microsoft Azure Subscriptions
An Azure subscription is a large collection of services in your Azure account for identifying, controlling, and providing governance of those resources. Azure Active Directory is used when provisioning resources through ARM, so that role-based access control can be applied to specific resources. There are several ways to purchase an Azure subscription.
Free trial
Pay as you go
Visual Studio MSDN (testing only)
Microsoft resellers
Open License Platform Plus
Microsoft enterprise account agreements
Azure role-based administration allows user and machine accounts access to resources in your Azure subscription; however, at a high level, there are administrative roles whose number of holders is limited per subscription. Before we take a deeper dive into administration accounts, a few definitions need to be reviewed.
The term Azure resource designates an entity or an intelligent object that is managed by Azure. Simple examples are a virtual network (VNet), a storage account, or a virtual machine (VM). All three are Azure resources; they are not Azure services.
An Azure service is an automated deployment of a VM, VNet, or storage account.
An Azure resource group allows the grouping of resources that have the same life cycle and security requirements. Like individual services, a resource group can assign privileged access to multiple Azure roles.
Note
One Azure account can have multiple Azure subscriptions associated with it.
An Azure subscription name is limited to a maximum of 64 characters, and the name cannot be changed. Choosing it is an important planning decision for the administrative roles that support your Azure subscription.
Note
Be aware the person who completes the Azure subscription sign up wizard is assigned the Global Administrator role.
It is important to realize that a Global Administrator and a Privileged Role Administrator can delegate administrator roles to other users in Azure AD. Table 1-1 provides key roles for Azure subscription users to consider for management and to support security needs, such as separation of duties.
Table 1-1
Azure Account Roles, Limits, and Descriptions
There is one Account Administrator per Azure subscription; this role authorizes and creates additional accounts for access to a subscription. This account allows you to change billing information and services administration. There is one Service Administrator account per Azure subscription, and it authorizes management access to the management portal for subscriptions. In a subscription, the Co-Administrator account is unlimited.
Note
It is important to be aware of the current limits of a subscription. Review this at https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits.
Some of the Azure subscription resources include the default and maximum limit per subscription. If the Maximum Limit column reads contact support, it is known as a soft limit, which can be increased based on business needs.
Azure Cost Management
Investment in the Azure cloud should begin at the planning stage with an agreed approach to maximize the deployment investment and understand the total cost by breaking down the individual services and resources costs. The cost of managing active services, along with network flow and customer data storage costs, is some of the information needed to budget Azure cloud utilization.
An Azure subscription is the primary purchasing vehicle for Azure services; you are charged based on utilization. Azure is billed monthly, with the billing data collected, processed, and displayed in the Azure portal.
Azure resources emit billing usage data differently, and active services maintain different reporting cycles. Cost factors include usage, Azure Marketplace third-party purchases, and service rates assessed based on subscription type (Government, Enterprise Agreement, pay-as-you-go, etc.).
Azure subscription pricing is found on the portal. Log in to the Azure portal, select Services ➤ Subscription to display the current costs, as shown in Figure 1-3.
Figure 1-3. Azure cost by resource in the Azure portal
Azure EA is a monetary commitment designed for large enterprises to pre-pay for Azure services on an annual basis based on estimated usage. An organization pays the estimated amount as part of the EA (enterprise agreement) renewal. It may be eligible for a discounted rate. Azure EA scopes and individual agreement scopes offer a finite view of resources; most often, Azure resources are grouped together.
The individual resources generally have the same life cycle and belong to a specific billing project in each resource group to better manage costs. The scopes are aligned to business groups to manage Azure resource costs. In addition to scopes, Microsoft supports two hierarchy roles above the Azure subscription level: one to manage billing data, payments, and invoices and one for cloud cost with cloud governance.
The methodology to support costs includes tools, processes, and resources. Microsoft Azure provides a pricing calculator that closely estimates spending costs. You can create a plan to use the correctly sized resources based on estimated business needs. Azure services scale up (north and south) and out (east and west) on demand, so utilization costs can track the services actually used, giving a better return on investment (ROI).
Note
Azure’s ability to support multiple subscriptions in one Azure account makes it easier to do separate billing. This is especially useful in bill-back scenarios.
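The bill-back scenario in the note above depends on being able to attribute cost to a resource group and to an owning business unit. The following is an added example (not code from the book or from Microsoft) that breaks a constructed usage export down by resource group and by a `cost-center` tag, and lists the resources that carry no tag at all, since untagged spend is what falls through a bill-back model. The CSV rows, column names, subscription id, and tag name are all assumptions made for this example.

```python
"""Break a constructed Azure usage export down by resource group and cost-center tag."""
import csv
import io
import json
from collections import defaultdict
from decimal import Decimal

# Constructed sample rows; the column names are assumed for this example and a
# real usage export carries many more columns than these.
SAMPLE_USAGE_CSV = '''\
ResourceGroup,ResourceId,MeterCategory,Tags,CostInBillingCurrency
rg-web-prod,/subscriptions/sub-example/resourceGroups/rg-web-prod/providers/Microsoft.Compute/virtualMachines/web01,Virtual Machines,"{""cost-center"": ""marketing""}",120.50
rg-web-prod,/subscriptions/sub-example/resourceGroups/rg-web-prod/providers/Microsoft.Network/publicIPAddresses/web01-pip,Virtual Network,"{""cost-center"": ""marketing""}",3.65
rg-data-prod,/subscriptions/sub-example/resourceGroups/rg-data-prod/providers/Microsoft.Sql/servers/sql01/databases/orders,SQL Database,"{""cost-center"": ""finance""}",450.00
rg-sandbox,/subscriptions/sub-example/resourceGroups/rg-sandbox/providers/Microsoft.Compute/virtualMachines/test01,Virtual Machines,{},42.10
'''

UNTAGGED = "(untagged)"  # bucket for resources that carry no cost-center tag


def load_usage(text):
    """Parse usage rows; costs are kept as Decimal so totals are exact."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        tags = json.loads(row["Tags"] or "{}")
        rows.append({
            "resource_group": row["ResourceGroup"],
            "resource_id": row["ResourceId"],
            "cost_center": tags.get("cost-center", UNTAGGED),
            "cost": Decimal(row["CostInBillingCurrency"]),
        })
    return rows


def cost_by(rows, key):
    """Total cost grouped by one attribute, e.g. 'resource_group' or 'cost_center'."""
    totals = defaultdict(Decimal)
    for r in rows:
        totals[r[key]] += r["cost"]
    return dict(totals)


def untagged_resources(rows):
    """Resource ids whose spend cannot be billed back because the tag is missing."""
    return [r["resource_id"] for r in rows if r["cost_center"] == UNTAGGED]


if __name__ == "__main__":
    usage = load_usage(SAMPLE_USAGE_CSV)
    for scope in ("resource_group", "cost_center"):
        for name, total in sorted(cost_by(usage, scope).items()):
            print(f"{scope:15} {name:15} {total:>10}")
    print("untagged:", untagged_resources(usage))
```

Grouping by resource group matches the billing-project view described earlier, while grouping by tag gives the business-unit view used for bill-back; the untagged list is the governance gap to close.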
Azure Resource Manager
Azure subscriptions leverage Azure Active Directory to apply user access to manage services, usually at the resource group level. Azure Resource Manager (ARM) is the management layer to create, edit, move, and delete resources in your Azure subscription. Figure 1-4 shows how ARM supports updates from requests for the services managed.
Figure 1-4. Logical view of ARM processing
In the first edition of this book, resources were deployed using both ARM and Azure Service Manager (ASM). ASM was the classic deployment model, retired in June 2018. This edition supports Azure Resource Manager (ARM). ARM supports role-based access control (RBAC), which allows you to assign permissions at a more granular level.
You can configure Azure policies that directly support your overall governance security model. You can also use this information to analyze the cost of Azure with reports from log analytics.
Microsoft Azure Identity
Active Directory (AD) is the built-in identity and access management service available with your Microsoft Azure subscription. Azure AD authenticates users, machines, and services. Only after authentication is a request authorized to access Azure data or to perform work. AD also supports multifactor authentication (MFA) by using a second identification method, such as a mobile phone, a security token (or authentication token) device, or a certificate-based smart card. Strong, secure authentication is critical for businesses to support access to data or services. If Azure business policies follow the least-privilege model, then users, applications, and services are granted only the access they need.
Identity services provided by the Azure platform are used in unison to provide identity and access management (IAM). The security access model includes tools and processes that support users, services, and systems by managing the workflow of access to data. Identity is the best security boundary for the validation of users, services, or systems in the Azure cloud platform. Cloud security architectures are designed with layers of security, and management of identity is the most important of those layers.
The security triad used to describe the goals of security is CIA: confidentiality, integrity, and availability (see Figure 1-5).
Figure 1-5. CIA security triad
The triad is a visual representation of the security triangle: each leg supports the other two. If they don’t work together, security is compromised.
Confidentiality means that data cannot be viewed or used by anyone who has not been authorized. This pillar of information security immediately protects data from unauthorized use.
Integrity refers to data not being changed or altered without the data owners’ consent or knowledge. Microsoft Azure supports specific RBAC roles to prevent unauthorized changes and uses auditing to validate integrity.
Availability refers to the requirement that authorized users can access data when they need it. It is a security property and should not be confused with the high availability offered by Azure services or virtual servers.
There is one other security consideration related to both identity and integrity: nonrepudiation. This security implication supports the legal claim that the authenticity of the author can be validated. Again, access control and authentication methods play a big part in Microsoft identity.
Our recommendation for businesses is to choose one of the two fully featured Azure Active Directory editions: Premium (P1) or Premium (P2). There are many features enabled with P1 or P2; however, some businesses benefit most from Premium 2.
Table 1-2 is a subset of features. It should be reviewed with your Chief Information Security Officer (CISO).
Table 1-2
Subset of Azure Active Directory Premium Editions
Note
Please review the list of Azure Active Directory features at https://azure.microsoft.com/en-us/pricing/details/active-directory/.
Microsoft Azure Active Directory and Azure Resource Manager are used in multiple discussions throughout this book. The intent is to introduce them now and provide a foundation on the importance of identity, authorization, and least privileged.
Azure Security
Microsoft Azure cloud security services are designed with layers of cloud security and support a zero-trust security model. Cloud identity should be your network perimeter, not the TCP/IP security associated with an on-premises datacenter. During the process of moving workloads from on-premises to the cloud, commonly called a lift and shift workflow, we must leverage cloud identity to protect data. A DevOps team writes and tests code for the cloud differently from on-premises architecture applications.
As you learn about Azure infrastructure as a service (IaaS) and platform as a service (PaaS), the responsibility for controlling access to data, services, and servers is critical in Azure. Public cloud providers have mastered physical security, which prevents access to the datacenter and to physical servers. Now we must architect a network security model in the cloud with the software-defined network (SDN) and use the best security features available, including cloud-native, third-party, and software-defined security services.
The goal of Azure security is to reduce the attack surface area from bad actors or hackers. It reduces but does not eliminate all security threats; no cloud provider claims to eliminate all threats. They reduce threat risks. Some of this is from a layered approach that lowers the chance of a potential breach in your cloud infrastructure.
Security architecture follows the security baseline framework. Most companies that are new to the cloud start with a traditional model from a traditional IT security framework. Security for Microsoft Azure is designed to scale with the elasticity of the cloud model that supports high availability and scalability of both IaaS and PaaS when Azure services are created and deleted.
The Azure security framework supports a security life cycle that allows you to design threat mitigation, which includes testing with your security processes. The remediation and reduction of threats is a life cycle management goal, especially for security artifacts. Some of the individual components in security life cycle management are threat modeling, identification, and inventory. Security testing is an interactive process to support overall security. Microsoft Azure monitoring provides security alerts and security controls that identify threats and vulnerabilities in your Azure infrastructure. The cloud layered security model is shown in Figure 1-6.
Figure 1-6. Azure cloud-layered security
Microsoft Azure security provides a layered security approach in the cloud from a virtual perspective and a physical perspective. The physical Azure datacenters are protected from intrusion. The way that Microsoft personnel and operations teams provide security is covered at https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security.
Microsoft Azure security layering includes Distributed Denial of Service (DDoS) protection. Prevention includes monitoring of public IP addresses, support for software-defined networks (VNet), and their isolation through network security groups (NSG). These features all work together in a layered security model.
Azure network security groups are cloud-native implementations that allow or deny based on TCP/IP protocols, ports, origin IP addresses, and the destination IP address. The cloud-native network security group (NSG) applies inbound and outbound rules to TCP/IP data flow.
Firewalls can be used as cloud-native or third-party virtual systems in addition to the network security groups provided in Microsoft Azure. Firewalls are available through the Azure marketplace; you can use industry standards, including Palo Alto, Checkpoint, Barracuda, and F5. You can enable firewalls at the operating system level for both Windows machines and Linux servers, which increases your layered security in the Azure cloud.
Security is a broad topic. Cloud security teams and cloud administrators are familiar with the terms jump server and bastion server (see Chapter 13). It is a specific security implementation that has pros and cons. A jump server or a bastion host is normally deployed in a perimeter zone network and allows connectivity to support remote administration. You could limit a bastion host’s network connectivity to allow access to only a few Azure security services.
A bastion server maintains access to support configuration and administration of the cloud services. Multiple jump servers compartmentalize connectivity from administrators into specific Azure servers and services, which reduces the risk of compromise.
Azure monitoring provides integration from the Azure portal, PowerShell, or the REST API to review and collect activity logs and to monitor logs specifically in an Azure subscription. Security metrics, diagnostic settings, and log searches can be used inside Azure or exported into other SIEM solutions, such as Splunk or Sonra.
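The NSG description above (allow or deny by protocol, port, source and destination) and the bastion pattern that follows it come together in how Azure evaluates inbound rules: rules are processed from the lowest priority number upward, the first match wins, and a built-in DenyAllInBound rule at priority 65500 catches everything else. The following is an added example, not code from the book or from Azure itself, that models that evaluation for a constructed rule set in which SSH is reachable only from a bastion subnet. It models only CIDR and `*` source prefixes and TCP/UDP/`*` protocols; Azure service tags such as VirtualNetwork and the two other default inbound rules are left out, and the subnet addresses, rule names and probe address are assumptions.

```python
"""Evaluate inbound NSG rules the way Azure does: lowest priority number first, first match wins."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int         # custom rules use 100-4096; a lower number is evaluated first
    access: str           # "Allow" or "Deny"
    protocol: str         # "Tcp", "Udp" or "*"
    source_prefix: str    # CIDR or "*" (service tags are not modelled here)
    dest_port_range: str  # "22", "1024-65535" or "*"


# Azure's catch-all default; the other default inbound rules (65000/65001) are omitted.
DEFAULT_DENY = Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*")


def _port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _prefix_matches(prefix: str, addr: str) -> bool:
    return prefix == "*" or ip_address(addr) in ip_network(prefix, strict=False)


def _protocol_matches(rule_proto: str, proto: str) -> bool:
    return rule_proto == "*" or rule_proto.lower() == proto.lower()


def evaluate_inbound(rules, src_ip: str, proto: str, dst_port: int):
    """Return (access, rule name) of the first matching rule; the default deny always matches."""
    for r in sorted(rules, key=lambda r: r.priority) + [DEFAULT_DENY]:
        if (_protocol_matches(r.protocol, proto)
                and _prefix_matches(r.source_prefix, src_ip)
                and _port_matches(r.dest_port_range, dst_port)):
            return r.access, r.name
    raise AssertionError("unreachable: DEFAULT_DENY matches every flow")


def exposed_admin_ports(rules, probe_ip: str = "203.0.113.7"):
    """Admin ports (SSH, RDP) that an arbitrary external address could reach under these rules."""
    return [p for p in (22, 3389) if evaluate_inbound(rules, probe_ip, "Tcp", p)[0] == "Allow"]


# Constructed rule set: 10.0.0.0/27 is the assumed bastion subnet.
BASTION_RULES = [
    Rule("AllowSSHFromBastion", 100, "Allow", "Tcp", "10.0.0.0/27", "22"),
    Rule("DenySSHFromAnywhere", 110, "Deny", "Tcp", "*", "22"),
    Rule("AllowHTTPSFromInternet", 200, "Allow", "Tcp", "*", "443"),
]

# Constructed weak rule set: the same ports opened to every source.
WEAK_RULES = [
    Rule("AllowRDPAny", 100, "Allow", "Tcp", "*", "3389"),
    Rule("AllowSSHAny", 110, "Allow", "Tcp", "*", "22"),
]

if __name__ == "__main__":
    for src, proto, port in [("10.0.0.5", "Tcp", 22), ("203.0.113.7", "Tcp", 22),
                             ("203.0.113.7", "Tcp", 443), ("203.0.113.7", "Udp", 53)]:
        print(src, proto, port, "->", evaluate_inbound(BASTION_RULES, src, proto, port))
    print("exposed (bastion set):", exposed_admin_ports(BASTION_RULES))
    print("exposed (weak set):   ", exposed_admin_ports(WEAK_RULES))
```

The explicit deny at priority 110 is not strictly needed because of the default deny, but it keeps SSH closed even if someone later adds a broad allow rule at a higher priority number, which is the kind of ordering mistake first-match evaluation makes easy.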
The Azure Security Center provides integration into both IaaS and PaaS. It provides recommendations based on compute workloads, network configurations, network security groups, data storage models, and applications, and it can configure security alerts.
Penetration testing is a standard part of any robust security program. Microsoft conducts regular penetration tests against the Azure platform. The program goes a step further by incorporating a white hat feature that allows customers to conduct their own penetration testing. Customers are required to agree to the terms of penetration testing, submit a request form, and receive approval before conducting such tests. The terms and the request form are at the Microsoft Azure Trust Center (see https://security-forms.azure.com/penetration-testing/terms).
Azure Sentinel
Change is expected in the cloud, and a shorter development life cycle is one of the key benefits of Azure cloud computing. Microsoft Azure Sentinel is a cloud-native security information and event management (SIEM) solution. Sentinel can be enabled in your subscription to collect data from both Azure and on-premises log files. It applies artificial intelligence (AI) to investigate, detect, and respond to incidents using automation and orchestration.
Azure Sentinel supports cloud or on-premises data and supports connection to third-party security data sources, including network equipment and traditional security appliances, like firewalls. Once the data is flowing, Azure cloud scaling consumes the aggregated data and provides insight from it. This solution supports Blue Team hunting techniques: writing queries in an IntelliSense-assisted query language, creating notebooks for automated investigation, and sharing the queries with Security Operations Centers (SOC).
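Whether exported to a third-party SIEM or hunted in Sentinel, the starting point is raw log records. The following added example (not code from the book) shows a small Python triage of Activity Log records, of the kind a SOC query would express, that flags successful perimeter, RBAC, and log-pipeline changes. The records, the caller, and the subscription-id and GUID placeholders are constructed, not real data.

```python
import json

# Constructed sample of Azure Activity Log records as newline-delimited JSON,
# roughly the shape in which diagnostic settings export them to a SIEM.
# <sub-id> and <guid> are placeholders; the caller is fictional.
SAMPLE_EXPORT = """\
{"eventTimestamp": "2020-03-01T10:00:00Z", "caller": "ops@contoso.example", "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"}, "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web01", "status": {"value": "Succeeded"}}
{"eventTimestamp": "2020-03-01T10:05:00Z", "caller": "ops@contoso.example", "operationName": {"value": "Microsoft.Network/networkSecurityGroups/securityRules/write"}, "resourceId": "/subscriptions/<sub-id>/resourceGroups/rg-bastion/providers/Microsoft.Network/networkSecurityGroups/nsg-bastion/securityRules/rdp-from-internet", "status": {"value": "Succeeded"}}
{"eventTimestamp": "2020-03-01T10:06:00Z", "caller": "ops@contoso.example", "operationName": {"value": "Microsoft.Authorization/roleAssignments/write"}, "resourceId": "/subscriptions/<sub-id>/providers/Microsoft.Authorization/roleAssignments/<guid>", "status": {"value": "Failed"}}
{"eventTimestamp": "2020-03-01T10:07:00Z", "caller": "ops@contoso.example", "operationName": {"value": "microsoft.insights/diagnosticSettings/delete"}, "resourceId": "/subscriptions/<sub-id>/providers/microsoft.insights/diagnosticSettings/to-siem", "status": {"value": "Succeeded"}}
this line is not JSON and must be skipped
"""

# Control-plane operations a security team normally alerts on: changes to the
# perimeter (NSG rules), changes to RBAC, and removal of the log pipeline itself.
# Keys are lowercase because provider casing varies between records.
WATCHED_OPERATIONS = {
    "microsoft.network/networksecuritygroups/securityrules/write": "NSG rule written",
    "microsoft.authorization/roleassignments/write": "RBAC role assignment written",
    "microsoft.insights/diagnosticsettings/delete": "Diagnostic setting deleted",
}


def parse_export(text):
    """Parse newline-delimited JSON, skipping lines that do not decode."""
    records = []
    for line in text.splitlines():
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a SIEM pipeline should count these, not crash on them
    return records


def flag_events(records):
    """Return (timestamp, caller, description, resourceId) for each succeeded watched operation."""
    findings = []
    for rec in records:
        op = rec.get("operationName", {}).get("value", "").lower()
        status = rec.get("status", {}).get("value", "")
        if op in WATCHED_OPERATIONS and status == "Succeeded":
            findings.append((rec.get("eventTimestamp"), rec.get("caller"),
                             WATCHED_OPERATIONS[op], rec.get("resourceId")))
    return findings


def summarize_by_caller(findings):
    """Count flagged changes per caller, a quick view of who is touching security controls."""
    counts = {}
    for _, caller, _, _ in findings:
        counts[caller] = counts.get(caller, 0) + 1
    return counts
```

The failed role assignment is deliberately not flagged here; a SOC would usually keep a separate, lower-severity rule for repeated failures.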
Previewing New Security Features
Azure services are released once the preview period’s goals have been achieved. They are often new services that are considered opt-in features. It is fair to use the milestone of achievement instead of a specific timeline, because preview features, some with partner co-engineering teams, may begin later than expected. They may also require more engineering time to validate the features on a global deployment scale with support in specific Azure regions.
You need to stay ahead of new features that help your business. You must opt into some preview features for specific resource testing. An example of this is the deployment of Field Programmable Gate Array (FPGA) chips. The chip has specialized circuits on the host hardware (the Azure Hyper-V server) that increase virtual network efficiency. Without FPGA circuits, there is network latency between software-based hosts that process network IP packets through software layers. Using FPGA circuits allows the virtual network to interface directly with the hardware. The difference in latency is in the mid-200 millisecond range without FPGA and less than 10 milliseconds with FPGA. This single example illustrates the value of reviewing Azure preview features.
IaaS and PaaS Security
If you are new to Azure as a cloud provider, you need to identify the types of cloud services that are classified as infrastructure as a service (IaaS) or platform as a service (PaaS). In this book, we chose to remove conversations on software as a service (SaaS). If you want to learn about SaaS, please refer to the first edition of this book, Microsoft Azure: Planning, Deploying and Managing Your Data Center in the Cloud (Apress, 2015).
Azure provides foundational computing services; in fact, Azure is most recognized for its IaaS offerings. Examples of Azure IaaS offerings include Azure virtual machines and virtual networks, Azure storage solutions, and Azure recovery services. However, Azure is often mistaken for an IaaS-only provider, when in fact it has a large portfolio of PaaS offerings. Examples of its PaaS offerings include Azure SQL Database, Azure websites, Azure Content Delivery Network (CDN), and Azure Mobile Services.
Table 1-3 provides insight into Azure’s PaaS security.
Table 1-3
Microsoft Azure PaaS Security Considerations
Note
The National Institute of Standards and Technology (NIST) provides definitions of the cloud models in their SP-800-145 publication at https://csrc.nist.gov/publications/detail/sp/800-145/final.
Summary
This chapter provided an overview of things to consider when evaluating Azure’s geographically supported regions and availability zones. You learned about Azure accounts and subscriptions and how Azure is licensed. You learned how the Azure Resource Manager model leverages role-based access control and how RBAC supports Azure Active Directory. You also learned about Azure’s layers of security.
The remaining chapters provide deep dives and exercise examples of Azure core features with IaaS and PaaS. The complete code for all chapters is available on GitHub.
© Julian Soh, Marshall Copeland, Anthony Puca, and Micheleen Harris 2020
J. Soh et al., Microsoft Azure, https://doi.org/10.1007/978-1-4842-5958-0_2
2. Overview of Azure Infrastructure as a Service (IaaS) Services
Julian Soh (1), Marshall Copeland (2), Anthony Puca (3) and Micheleen Harris (1)
(1) Washington, WA, USA
(2) Texas, TX, USA
(3) Colorado, CO, USA
The National Institute of Standards and Technology (NIST), a division of the US Department of Commerce, defines cloud computing as a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that are rapidly provisioned and released with minimal management effort or service provider interaction.
Within the NIST definition of cloud computing, three service models exist: software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS).
IaaS is defined as the consumer’s ability to provision processing, storage, networks, and other fundamental computing resources, where the consumer can deploy and run arbitrary software, which includes operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications; and possibly limited control of select networking components.
When this chapter was written, Microsoft Azure had 170 services, of which 55 were IaaS. In this chapter, we review the newest and most popular IaaS services and the major changes made to the existing ones. IaaS services run across all of Microsoft’s various Azure clouds and regions. There are 15 compute, 19 networking, and 16 storage services. A full list of services by category is at https://docs.microsoft.com/en-us/azure/index#pivot=products.
Azure Compute includes the following services.
Linux virtual machines
Windows virtual machines
Virtual machine availability sets
Virtual machine scale sets
Dedicated hosts
Proximity placement groups
Azure Batch
Azure Service Fabric
Azure Kubernetes Service (AKS)
CycleCloud
Azure VMware Solutions by CloudSimple
Azure Virtual Machines
Each of the Azure compute services offers various scalability and service-level agreements (SLAs), ranging from 99% to 99.99%. We’ll address this for each service reviewed in this chapter.
Each Azure virtual machine (VM) provides anywhere from 1 to 480 CPU cores or 960 CPU threads, which is the most compute power in the world. Memory-intensive workloads range from 1 GB to 24 TB for a single system, and local compute storage ranges from 4 GB to 64 TB and up to 160,000 IOPS (input/output operations per second). This does not include the cloud storage options discussed later in this chapter.
Azure compute services offer networking speeds up to 100 Gbps InfiniBand interconnect.
One of the most overlooked aspects of virtual machines in Azure is the series. Too often, administrators provision virtual machines based on the number of cores and RAM, without understanding the underlying hardware architecture that the virtual machines reside on. Microsoft provides 12 hardware platforms for hosting virtual machines, and each one has a very specific purpose. The costs drastically differ.
Not all virtual machines are available in each Azure region. As discussed in Chapter 1, your workload may need to be in a specific Azure region due to hardware availability. For a detailed breakdown of the virtual machine series, refer to https://azure.microsoft.com/en-us/pricing/details/virtual-machines/series/. This page outlines not only the different underlying hardware architectures but also what each series is optimized for. The following list describes the virtual machine series.
A-series: Entry-level economical VMs for dev/test. Development and test servers, low-traffic web servers, small to medium databases, servers for proofs-of-concept, and code repositories.
Bs-series: Economical burstable VMs. Development and test servers, low-traffic web servers, small databases, microservices, servers for proofs-of-concept, build servers.
D-series: General-purpose compute. Enterprise-grade applications, relational databases, in-memory caching, and analytics. The latest generations are ideal for applications that demand faster CPUs, better local disk performance, or more memory.
DC-series: Protect data in use. Confidential querying in databases, creation of scalable, confidential consortium networks, and secure multiparty machine learning algorithms. The DC-series VMs are ideal for building secure enclave-based applications to protect customers’ code and data while it’s in use.
E-series: Optimized for in-memory hyper-threaded applications. SAP HANA, SAP S/4 HANA, SQL Hekaton, and other large in-memory business-critical workloads.
F-series: Compute optimized virtual machines. Batch processing, web servers, analytics, and gaming.
G-series: Memory and storage optimized virtual machines. Large SQL and NoSQL databases, ERP, SAP, and data warehousing solutions.
H-series: High-performance computing virtual machines. Fluid dynamics, finite element analysis, seismic processing, reservoir simulation, risk analysis, electronic design automation, rendering, Spark, weather modeling, quantum simulation, computational chemistry, and heat-transfer simulation.
Ls-series: Storage-optimized virtual machines. NoSQL databases such as Cassandra, MongoDB, Cloudera, and Redis. Data warehousing applications and large transactional databases are great use cases as well.
M-series: Memory-optimized virtual machines. SAP HANA, SAP S/4 HANA, SQL Hekaton, and other large in-memory business-critical workloads requiring massive parallel compute power.
Mv2-series: Largest memory-optimized virtual machines. SAP HANA, SAP S/4 HANA, SQL Hekaton, and other large in-memory business-critical workloads requiring massive parallel compute power.
N-series: GPU-enabled virtual machines. Simulation, deep learning, graphics rendering, video editing, gaming, and remote visualization.
Note
Azure services that support a single solution can span multiple Azure regions.
Don’t worry about having all your cloud resources or services in the same Azure region. While some workloads may need this, traversing the Azure global network to get the service you need is not an issue thanks to high throughput and extremely low latency. For example, in the United States, a connection from the West Coast to the East Coast can be made in less than 60 ms (milliseconds). From Colorado, a user can connect to the East Coast in less than 45 ms. Your throughput may vary depending upon your location, the Internet service provider you’re using to connect to Azure, the connection type, and so forth. The point is to be aware that your cloud services may be in multiple regions, not just the closest one to you. This is discussed later in this chapter.
Azure virtual machines provide on-demand compute resources at the scale, size, and price